Re: [Cfrg] Review of the Balanced PAKE proposals
"Hao, Feng" <Feng.Hao@warwick.ac.uk> Mon, 16 September 2019 13:54 UTC
Return-Path: <Feng.Hao@warwick.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AEAE1200E6 for <cfrg@ietfa.amsl.com>; Mon, 16 Sep 2019 06:54:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SSaW-lNQBm1A for <cfrg@ietfa.amsl.com>; Mon, 16 Sep 2019 06:54:34 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70084.outbound.protection.outlook.com [40.107.7.84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67FE51200D8 for <cfrg@irtf.org>; Mon, 16 Sep 2019 06:54:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FMSHyqpZYb54HR38/xziqDS25L0sIPeujhMPY19GCI553a8k8V7PJkcf8OK5TycZHTiGVEacs6tAmCpNyQQWCa4+k314g9IcE8bXAYlZ4hSWRgnDvOuq6JQ8jRWwEgu6LBOKyukoEnBjTZSLSVEthiwArc1JYLQS7/l3j/tI+do+dVyDDddbLF0P7Snx/4CS4WU37lPTuks5YZRRQ6llRd6PleLjLgURVyOi0bt08bkmyxAi94X+aIugew7S+Iljvg2uVJFFKj0PoHyt5gxPEW1q+PMue0JxIiZ/gbe0LkUR2eo9VuLGlV6AW05o3BQB79MkWA87PMoJSPVto5GlVw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=NbZL8AZqtdmDqKo/vGL98EN6OAhJT2YAJgM8dDy9YiI=; b=FdKphdkmnvJfjM3cHf3pND9gcz13fWtrtv49HvO42eA1PSZoiljJPWrd3Deuong04uoIQBo/oUmKcVYnlhKd65V6YScPHHkbTtUVBd6o4WKTL6ofG+tUJqwWYVdKuASpRsVx3efpHYOU77Eh5HAHKFH1/8zEcwXIYU1C0v2F6z7y4zemf6iBZui5cCeDFG+6aeIS2QBguUfAY5astCMeOyVYy/VgTH+/xHQQuPSJJ37wgQEDKOLhx+q0eH4yJTwMbkNKmCLzVa/tEBnHvUZgmHyXYNlfPQmo7HDhR0tQf8GcIGm3FEv0tVTgbJyEvO749fHgttRarf664MtsA/7TgA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=warwick.ac.uk; dmarc=pass action=none header.from=warwick.ac.uk; dkim=pass header.d=warwick.ac.uk; arc=none
Received: from DB7PR01MB5435.eurprd01.prod.exchangelabs.com (20.178.104.28) by DB7PR01MB5013.eurprd01.prod.exchangelabs.com (20.177.192.89) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2263.14; Mon, 16 Sep 2019 13:54:30 +0000
Received: from DB7PR01MB5435.eurprd01.prod.exchangelabs.com ([fe80::55eb:f0c1:7e8e:3af5]) by DB7PR01MB5435.eurprd01.prod.exchangelabs.com ([fe80::55eb:f0c1:7e8e:3af5%7]) with mapi id 15.20.2263.023; Mon, 16 Sep 2019 13:54:30 +0000
From: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
To: Karthik Bhargavan <karthikeyan.bhargavan@inria.fr>, "cfrg-chairs@ietf.org" <cfrg-chairs@ietf.org>
CC: "cfrg@irtf.org" <cfrg@irtf.org>, Bruno Blanchet <bruno.blanchet@inria.fr>
Thread-Topic: [Cfrg] Review of the Balanced PAKE proposals
Thread-Index: AQHVbHF/t4Wi8Ux0WEOTp7OsyXXq0qcuZGWA
Date: Mon, 16 Sep 2019 13:54:29 +0000
Message-ID: <0442918D-3747-4B82-A13E-E24C9CF0B53A@live.warwick.ac.uk>
References: <0791DF4A-098E-4753-B886-BFC2D7DA1F97@gmail.com> <05193CDF-D4D7-425D-92B4-B29E7EF5B63E@inria.fr>
In-Reply-To: <05193CDF-D4D7-425D-92B4-B29E7EF5B63E@inria.fr>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.b.190609
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Feng.Hao@warwick.ac.uk;
x-originating-ip: [137.205.238.166]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 495aa689-fd8f-406d-97e1-08d73aad6564
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600167)(711020)(4605104)(1401327)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:DB7PR01MB5013;
x-ms-traffictypediagnostic: DB7PR01MB5013:
x-ms-exchange-purlcount: 5
x-microsoft-antispam-prvs: <DB7PR01MB5013D579A6913AAD7891D8ECD68C0@DB7PR01MB5013.eurprd01.prod.exchangelabs.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0162ACCC24
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(376002)(366004)(39860400002)(396003)(346002)(189003)(199004)(76176011)(102836004)(186003)(53936002)(6486002)(786003)(8676002)(6246003)(8936002)(9326002)(4326008)(229853002)(2501003)(14454004)(236005)(7736002)(11346002)(6436002)(2906002)(86362001)(446003)(110136005)(76116006)(478600001)(33656002)(91956017)(790700001)(58126008)(6512007)(316002)(3846002)(6116002)(81166006)(71190400001)(99286004)(6306002)(5660300002)(71200400001)(66066001)(81156014)(54896002)(256004)(66476007)(66946007)(66446008)(66556008)(966005)(64756008)(6506007)(14444005)(25786009)(476003)(26005)(606006)(486006)(54906003); DIR:OUT; SFP:1101; SCL:1; SRVR:DB7PR01MB5013; H:DB7PR01MB5435.eurprd01.prod.exchangelabs.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: warwick.ac.uk does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: Yt8n5UYfL/nlzpVTh4wK583rEQn2dvpcdKjJ5cP07YDFPfUYdbLv9ivj+7E8zZq00FYoCPjKhhGdp2S1LRl+NolADUZkcbjyD2JpKf3FiSD0ZEBV02L0ruw0Umc3w8Icxe8al49zp8eneSzo1pxoblHVRkPw+RjV9jSZW0z6r3U+Sl2qDSab+yAPYxAsesRCx7JJmyybQ2jwdJXlvxTdGyL8e4lDV4iXFCv4kGXaYnpJym+hWwWQBCE66HFrElzTvJv66/BGodepy019ylzibnkDMOUAuHP6UOyeIgZ4K6hRYQy770VUEeQlXcSITlwkXnTnPYb6PsD10jVLYnA0q87CdOUZwCYTw0YpugOAq09Epk6gEm8oFqmRE6dgu64Whr7ZriebkljkcSVlxn32WNa/CK/eyS8nPnJQAJLdfKM=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_0442918D37474B82A13EE24C9CF0B53Alivewarwickacuk_"
MIME-Version: 1.0
X-OriginatorOrg: warwick.ac.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: 495aa689-fd8f-406d-97e1-08d73aad6564
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Sep 2019 13:54:29.9659 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 09bacfbd-47ef-4465-9265-3546f2eaf6bc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Dv9Wg1N2yaSMhrcA9LIY5NeHpIVPbTKUBEZJlYH4pH4nZdUZg+8iAj20ODz2y2X3B6MYOzCniEnjQ165QrS3U9IYoy8a8Uncx6Xh28IP03I=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB7PR01MB5013
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/fVYQpLfzmSR_qg7MqGsAh5Cj5K0>
Subject: Re: [Cfrg] Review of the Balanced PAKE proposals
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Sep 2019 13:54:38 -0000
Hi Karthink, Many thanks for your constructive feedback (and the analysis by Bruno). Please refer to my comments below. “The proposed variant of SPEKE belongs to a long line of well-studied protocols. The specific protocol proposed here is the one by Hao and Shahandashti [1] “ As you rightly point out, there are many variants of SPEKE. Actually I don’t know which exact SPEKE variant was proposed for this selection. In Dan’s submission, he cites [2] IACR 2001/057 for the security proof of SPEKE, but also states the submitted SPEKE is symmetric and allows the parties to initiate the key exchange simultaneously. However, from [2] it should be clear that what was analysed there is essentially a “modified” SPEKE with mandatory key confirmation. The version described in [2] is certainly not symmetric, and the two parties can’t initiate the process simultaneously. It also requires more rounds. What we report in [1] is a limitation in the SPEKE protocol (as specified in Jablon’s original papers and in the IEEE P1363.2 and ISO/IEC 11770-4 standards), namely: the user identity is not cryptographically bound with the key exchange flows, which gives rises to some authentication issues (unknown key sharing attack). The attacks don’t apply to the variant in [2] as the key confirmation is defined mandatory, but everywhere else (IEEE and ISO/IEC standards) it’s defined as optional. To avoid any confusion, I think it’s best to leave it to Dan Harkins to clarify which exact SPEKE specification he was referring to in the submission. “This version does not appear to have a proof.” I would like to refer you to the updated paper that is recently published at IEEE TIFS 2018. https://arxiv.org/pdf/1802.04900.pdf As acknowledged in the paper (last paragraph in Section VI), although we analyzed the effectiveness of the proposed countermeasure, we don’t have any reductionist proof. In my personal opinion, it’s impossible to have any reductionist proof based on common assumptions (CDH, DDH etc). There are an unbounded number of ways for the attacker to fabricate data of any format. It seems inevitable that we are stuck with the heuristic security as it is. “Bruno observes that the above protocol has a reflection-style attack where A can be fooled into thinking it has a session with B although it only has a session with itself. Suppose A is willing to act as Initiator and Recipient in different sessions …” I’m not sure if the attack would work though. Please see [1] and the published version above. Kindly note that in concurrent sessions, the party should add an extension to the identity to make it unique. This is explained in both papers. We can take this discussion offline or wait for Dan to clarify which version was submitted so to keep the discussions relevant to this PAKE selection process. “We wonder whether it would not be better to consider more efficient variants of J-PAKE, as proposed in [7], for example.” The two variants of J-PAKE in [7] rely on a trusted setup and a hash-to-curve function respectively. The original idea in the J-PAKE construction is exactly to remove these. Indeed, if we reply on either of these, other PAKE protocols would be more desirable. [4] https://www.dcs.warwick.ac.uk/~fenghao/files/pw.pdf [5] https://eprint.iacr.org/2010/190.pdf [6] https://www.normalesup.org/~fbenhamo/files/publications/SP_AbdBenMac15.pdf [7] https://eprint.iacr.org/2016/379.pdf
- [Cfrg] Review of the PAKE proposals Yoav Nir
- [Cfrg] Integration of OPAQUE in IKEv2 Hugo Krawczyk
- Re: [Cfrg] Integration of OPAQUE in IKEv2 Valery Smyslov
- Re: [Cfrg] Integration of OPAQUE in IKEv2 Hugo Krawczyk
- Re: [Cfrg] Integration of OPAQUE in IKEv2 Yoav Nir
- [Cfrg] Review of the Balanced PAKE proposals Karthik Bhargavan
- Re: [Cfrg] Review of the Balanced PAKE proposals Hao, Feng